brakeman-lib 4.5.0 → 4.5.1

Files changed (71)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +15 -0
  3. data/README.md +6 -6
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/checks.rb +7 -7
  7. data/lib/brakeman/checks/base_check.rb +9 -9
  8. data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
  9. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  10. data/lib/brakeman/checks/check_deserialize.rb +52 -0
  11. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  12. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  13. data/lib/brakeman/checks/check_json_parsing.rb +5 -0
  14. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  15. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  16. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  17. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  18. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  19. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
  20. data/lib/brakeman/checks/check_secrets.rb +1 -1
  21. data/lib/brakeman/checks/check_session_settings.rb +10 -10
  22. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  23. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  24. data/lib/brakeman/checks/check_sql.rb +15 -17
  25. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  26. data/lib/brakeman/file_parser.rb +6 -8
  27. data/lib/brakeman/file_path.rb +71 -0
  28. data/lib/brakeman/options.rb +7 -0
  29. data/lib/brakeman/parsers/template_parser.rb +3 -3
  30. data/lib/brakeman/processor.rb +3 -4
  31. data/lib/brakeman/processors/alias_processor.rb +12 -6
  32. data/lib/brakeman/processors/base_processor.rb +8 -7
  33. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  34. data/lib/brakeman/processors/controller_processor.rb +5 -9
  35. data/lib/brakeman/processors/haml_template_processor.rb +5 -0
  36. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  37. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  38. data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
  39. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  40. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  41. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  42. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  43. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  44. data/lib/brakeman/processors/library_processor.rb +5 -5
  45. data/lib/brakeman/processors/model_processor.rb +4 -5
  46. data/lib/brakeman/processors/output_processor.rb +5 -0
  47. data/lib/brakeman/processors/template_alias_processor.rb +4 -5
  48. data/lib/brakeman/processors/template_processor.rb +4 -4
  49. data/lib/brakeman/report.rb +3 -3
  50. data/lib/brakeman/report/ignore/config.rb +2 -3
  51. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  52. data/lib/brakeman/report/pager.rb +1 -0
  53. data/lib/brakeman/report/report_base.rb +51 -6
  54. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  55. data/lib/brakeman/report/report_hash.rb +1 -1
  56. data/lib/brakeman/report/report_html.rb +2 -2
  57. data/lib/brakeman/report/report_json.rb +1 -24
  58. data/lib/brakeman/report/report_table.rb +20 -4
  59. data/lib/brakeman/report/report_tabs.rb +1 -1
  60. data/lib/brakeman/report/report_text.rb +2 -2
  61. data/lib/brakeman/rescanner.rb +9 -12
  62. data/lib/brakeman/scanner.rb +19 -14
  63. data/lib/brakeman/tracker.rb +4 -4
  64. data/lib/brakeman/tracker/collection.rb +4 -3
  65. data/lib/brakeman/tracker/config.rb +6 -0
  66. data/lib/brakeman/util.rb +1 -147
  67. data/lib/brakeman/version.rb +1 -1
  68. data/lib/brakeman/warning.rb +23 -13
  69. data/lib/brakeman/warning_codes.rb +1 -0
  70. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  71. metadata +20 -10
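--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 142b7260d9ae378b1dd4126d00979b892c6931b601865e20a883a0e8444cd225
-data.tar.gz: 53d73341cd37a589a8483c9bdf59be6f5b8c350c48466e02479609c66d4da264
+metadata.gz: 4335b21ba5c11b4a21f8f31f38f612f9153b7778d0c8c5fba9d1efbcfba6e16a
+data.tar.gz: 257d1b9f190b517d0b16859acc438870478d54a9ce71ed09f1e8ba01365095ac
 SHA512:
-metadata.gz: 6b555893cb7d94bddab5f9a3f824024050b098e08706fdb40e8a3f2ce9b7f3dc31bae1235bb998e71e09170eedcae508c3fae20900e58e57b0ce095e99ff5022
-data.tar.gz: 78bb4ca1c4892027cec86157bf96dbf7ac8dcf84fde1a5585181304f72d575fd935a990cf8027985e5e756ce8cd4fe8bac40573911bd903434b886e1d1a3ca94
+metadata.gz: 7055bf420077bac2ae9b4a5a86616d8aa2663efe81414b4688b22b1af6558b6f3aa563fe7292e5bf3b50a4159e770c5096ecc4d4b7e452953614809843baab58
+data.tar.gz: e5f3c8e3d5d66a652f1c6e0d6b1727db400b7db0d07a9f37a43df256da2cb71710a5e86f244cfe9994d309af6e77925623fa1496a930875693fa836c9a56a492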
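--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,18 @@
+# 4.5.1
+
+* Add `Brakeman::FilePath` to represent file paths
+* Handle trailing comma in block args
+* Properly handle empty partial name
+* Use relative paths for `__FILE__`
+* Convert `!!` calls to boolean value
+* Add optional check for `config.force_ssl`
+* Remove code for Ruby versions prior to 1.9
+* Check `link_to` with block for href XSS
+* Add SQL injection checks for `find_or_create_by` and friends
+* Add deserialization warning for `Oj.load/object_load`
+* Add initial Rails 6 support
+* Add SQL injection checks for `destroy_by`/`delete_by`
+
 # 4.5.0
 
 * Update `ruby_parser`, use `ruby_parser-legacy`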
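--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,6 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
-[![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
+[![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
@@ -47,25 +47,25 @@ Outside of Rails root:
 
 From a Rails application's root directory:
 
-docker run -v "$(pwd)":/code brakeman
+docker run -v "$(pwd)":/code presidentbeef/brakeman
 
 With a little nicer color:
 
-docker run -v "$(pwd)":/code brakeman --color
+docker run -v "$(pwd)":/code presidentbeef/brakeman --color
 
 For an HTML report:
 
-docker run -v "$(pwd)":/code brakeman -o brakeman_results.html
+docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html
 
 Outside of Rails root (note that the output file is relative to path/to/rails/application):
 
-docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html
+docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html
 
 # Compatibility
 
 Brakeman should work with any version of Rails from 2.3.x to 5.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
 
 # Basic Options
 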
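--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -55,6 +55,9 @@ module Brakeman
 # * :print_report - if no output file specified, print to stdout (default: false)
 # * :quiet - suppress most messages (default: true)
 # * :rails3 - force Rails 3 mode (automatic)
+# * :rails4 - force Rails 4 mode (automatic)
+# * :rails5 - force Rails 5 mode (automatic)
+# * :rails6 - force Rails 6 mode (automatic)
 # * :report_routes - show found routes on controllers (default: false)
 # * :run_checks - array of checks to run (run all if not specified)
 # * :safe_methods - array of methods to consider safe
@@ -99,6 +102,10 @@ module Brakeman
 elsif options[:rails5]
 options[:rails3] = true
 options[:rails4] = true
+elsif options[:rails6]
+options[:rails3] = true
+options[:rails4] = true
+options[:rails5] = true
 end
 
 options[:output_formats] = get_output_formats options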
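--- a/data/lib/brakeman/app_tree.rb
+++ b/data/lib/brakeman/app_tree.rb
@@ -1,4 +1,5 @@
 require 'pathname'
+require 'brakeman/file_path'
 
 module Brakeman
 class AppTree
@@ -62,31 +63,37 @@ module Brakeman
 @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
 @relative_engine_paths = @engine_paths - @absolute_engine_paths
 @gemspec = nil
+@root_search_pattern = nil
 end
 
-def expand_path(path)
-File.expand_path(path, @root)
+# Create a new Brakeman::FilePath
+def file_path(path)
+Brakeman::FilePath.from_app_tree(self, path)
 end
 
-def read(path)
-File.read(File.join(@root, path))
+# Should only be used by Brakeman::FilePath.
+# Use AppTree#file_path(path).absolute instead.
+def expand_path(path)
+File.expand_path(path, @root)
 end
 
-# This variation requires full paths instead of paths based
-# off the project root. I'd prefer to get all the code outside
-# of AppTree using project-root based paths (e.g. app/models/user.rb)
-# instead of full paths, but I suspect it's an incompatible change.
-def read_path(path)
-File.read(path)
+# Should only be used by Brakeman::FilePath
+# Use AppTree#file_path(path).relative instead.
+def relative_path(path)
+pname = Pathname.new path
+if path and not path.empty? and pname.absolute?
+pname.relative_path_from(Pathname.new(self.root)).to_s
+else
+path
+end
 end
 
 def exists?(path)
-File.exist?(File.join(@root, path))
-end
-
-# This is a pair for #read_path. Again, would like to kill these
-def path_exists?(path)
-File.exist?(path)
+if path.is_a? Brakeman::FilePath
+path.exists?
+else
+File.exist?(File.join(@root, path))
+end
 end
 
 def initializer_paths
@@ -111,7 +118,7 @@ module Brakeman
 end
 
 def lib_paths
-@lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
+@lib_files ||= find_paths("lib").reject { |path| path.relative.include? "/generators/" or path.relative.include? "lib/tasks/" or path.relative.include? "lib/templates/" } +
 find_additional_lib_paths +
 find_helper_paths +
 find_job_paths
@@ -125,7 +132,7 @@ module Brakeman
 if gemspecs.length > 1 or gemspecs.empty?
 @gemspec = false
 else
-@gemspec = File.basename(gemspecs.first)
+@gemspec = file_path(File.basename(gemspecs.first))
 end
 end
 
@@ -155,7 +162,8 @@ module Brakeman
 
 def select_files(paths)
 paths = select_only_files(paths)
-reject_skipped_files(paths)
+paths = reject_skipped_files(paths)
+convert_to_file_paths(paths)
 end
 
 def select_only_files(paths)
@@ -190,8 +198,8 @@ module Brakeman
 def root_search_pattern
 return @root_search_pattern if @root_search_pattern
 
-abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
-rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
+rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
 
 roots = ([@root] + abs).join(",")
 rel_engines = (rel + [""]).join("/,")
@@ -199,7 +207,11 @@ module Brakeman
 end
 
 def prioritize_concerns paths
-paths.partition { |path| path.include? "concerns" }.flatten
+paths.partition { |path| path.relative.include? "concerns" }.flatten
+end
+
+def convert_to_file_paths paths
+paths.map { |path| file_path(path) }
 end
 end
 end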
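Review bot: In the new `relative_path` (second hunk of this section), `Pathname.new path` runs before the `path and not path.empty?` guard, so a nil path raises TypeError from Pathname before the guard can ever return it; build the Pathname only after the path is known to be usable, e.g. `return path if path.nil? or path.empty?` followed by `pname = Pathname.new path` and `pname.absolute? ? pname.relative_path_from(Pathname.new(self.root)).to_s : path`. For an absolute path outside `root` — the `@absolute_engine_paths` case set up a few lines above — `relative_path_from` does not raise but returns a `../`-prefixed string, which callers that treat `FilePath#relative` as root-relative may not expect; a comment on the method stating that would help. The remaining hunks only thread `FilePath` through existing callers.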
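--- a/data/lib/brakeman/checks.rb
+++ b/data/lib/brakeman/checks.rb
@@ -109,13 +109,13 @@ class Brakeman::Checks
 
 #Run all the checks on the given Tracker.
 #Returns a new instance of Checks with the results.
-def self.run_checks(app_tree, tracker)
+def self.run_checks(tracker)
 checks = self.checks_to_run(tracker)
 check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-self.actually_run_checks(checks, check_runner, app_tree, tracker)
+self.actually_run_checks(checks, check_runner, tracker)
 end
 
-def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+def self.actually_run_checks(checks, check_runner, tracker)
 threads = [] # Results for parallel
 results = [] # Results for sequential
 parallel = tracker.options[:parallel_checks]
@@ -127,10 +127,10 @@ class Brakeman::Checks
 
 if parallel
 threads << Thread.new do
-self.run_a_check(c, error_mutex, app_tree, tracker)
+self.run_a_check(c, error_mutex, tracker)
 end
 else
-results << self.run_a_check(c, error_mutex, app_tree, tracker)
+results << self.run_a_check(c, error_mutex, tracker)
 end
 
 #Maintain list of which checks were run
@@ -196,8 +196,8 @@ class Brakeman::Checks
 end
 end
 
-def self.run_a_check klass, mutex, app_tree, tracker
-check = klass.new(app_tree, tracker)
+def self.run_a_check klass, mutex, tracker
+check = klass.new(tracker)
 
 begin
 check.run_check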
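Review bot: Removing `app_tree` from `Checks.run_checks`, `actually_run_checks`, `run_a_check` and the `klass.new(tracker)` call in the third hunk is an incompatible change for any check class still constructed with the old `(app_tree, tracker)` arity, and the 4.5.1 entry in CHANGES.md does not mention it. If externally written or optional checks are expected to keep loading, either record the new constructor signature in the changelog or add a comment above `run_a_check` stating that checks must accept a single `tracker` argument. The `Thread.new` body in the second hunk now closes over `tracker` alone, which is fine as long as `tracker.app_tree` is not mutated during the parallel run — presumably it is not, but that is not visible here.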
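--- a/data/lib/brakeman/checks/base_check.rb
+++ b/data/lib/brakeman/checks/base_check.rb
@@ -27,9 +27,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 end
 
 #Initialize Check with Checks.
-def initialize(app_tree, tracker)
+def initialize(tracker)
 super()
-@app_tree = app_tree
+@app_tree = tracker.app_tree
 @results = [] #only to check for duplicates
 @warnings = []
 @tracker = tracker
@@ -143,11 +143,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 def warn options
 extra_opts = { :check => self.class.to_s }
 
-warning = Brakeman::Warning.new(options.merge(extra_opts))
-warning.file = file_for warning
-warning.relative_path = relative_path(warning.file)
+if options[:file]
+options[:file] = @app_tree.file_path(options[:file])
+end
 
-@warnings << warning
+@warnings << Brakeman::Warning.new(options.merge(extra_opts))
 end
 
 #Run _exp_ through OutputProcessor to get a nice String.
@@ -476,11 +476,11 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 if gem_name and info = tracker.config.get_gem(gem_name)
 info
 elsif @app_tree.exists?("Gemfile")
-"Gemfile"
+@app_tree.file_path "Gemfile"
 elsif @app_tree.exists?("gems.rb")
-"gems.rb"
+@app_tree.file_path "gems.rb"
 else
-"config/environment.rb"
+@app_tree.file_path "config/environment.rb"
 end
 end
 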
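Review bot: `warn` in the second hunk now writes `options[:file] = @app_tree.file_path(options[:file])` into the hash the caller passed in, so a caller that reuses one options hash for several `warn` calls has its argument mutated and the second call hands an already-converted `FilePath` back to `file_path` (whether `file_path` accepts one is not visible here). Put the converted value in `extra_opts`, which `merge` already layers over the caller's hash: `extra_opts[:file] = @app_tree.file_path(options[:file]) if options[:file]`. The old `file_for`/`relative_path` fallback for warnings raised without `:file` is gone; presumably `Brakeman::Warning` now derives the file itself, but that lives in warning.rb, outside this section.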
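--- a/data/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/data/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -33,6 +33,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
 FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
 
+def initialize *args
+super
+@matched = @mark = false
+end
+
 #Run check
 def run_check
 setup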
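--- a/data/lib/brakeman/checks/check_default_routes.rb
+++ b/data/lib/brakeman/checks/check_default_routes.rb
@@ -6,6 +6,11 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
 
 @description = "Checks for default routes"
 
+def initialize *args
+super
+@actions_allowed_on_controller = nil
+end
+
 #Checks for :allow_all_actions globally and for individual routes
 #if it is not enabled globally.
 def run_check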
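--- a/data/lib/brakeman/checks/check_deserialize.rb
+++ b/data/lib/brakeman/checks/check_deserialize.rb
@@ -9,6 +9,7 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 check_yaml
 check_csv
 check_marshal
+check_oj
 end
 
 def check_yaml
@@ -23,6 +24,26 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 check_methods :Marshal, :load, :restore
 end
 
+def check_oj
+check_methods :Oj, :object_load # Always unsafe, regardless of mode
+
+unsafe_mode = :object
+safe_default = oj_safe_default?
+
+tracker.find_call(:target => :Oj, :method => :load).each do |result|
+call = result[:call]
+options = call.second_arg
+
+if options and hash? options and mode = hash_access(options, :mode)
+if symbol? mode and mode.value == unsafe_mode
+check_deserialize result, :Oj
+end
+elsif not safe_default
+check_deserialize result, :Oj
+end
+end
+end
+
 def check_methods target, *methods
 tracker.find_call(:target => target, :methods => methods ).each do |result|
 check_deserialize result, target
@@ -53,4 +74,35 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
 :link_path => "unsafe_deserialization"
 end
 end
+
+private
+
+def oj_safe_default?
+safe_default = false
+
+# TODO: Can we just index initializers already??
+if tracker.check_initializers(:Oj, :mimic_JSON).any?
+safe_default = true
+end
+
+if result = tracker.check_initializers(:Oj, :default_options=).first
+options = result.call.first_arg
+
+if oj_safe_mode? options
+safe_default = true
+end
+end
+
+safe_default
+end
+
+def oj_safe_mode? options
+if hash? options and mode = hash_access(options, :mode)
+if symbol? mode and mode != :object
+return true
+end
+end
+
+false
+end
 end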
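Review bot: `oj_safe_mode?` in the third hunk compares the Sexp returned by `hash_access` directly against a symbol, `mode != :object`, which is always true for a Sexp, so `Oj.default_options = { mode: :object }` is classified as a safe default and `Oj.load` calls without an explicit mode are then never reported. The sibling `check_oj` in the second hunk does this correctly through `mode.value == unsafe_mode`; use the same form here: `if symbol? mode and mode.value != :object`. In `check_oj` an options hash whose `:mode` is present but not a literal symbol falls through both branches and yields no warning even when the default is unsafe; if that is deliberate, a comment on the `elsif not safe_default` line saying so would save the next reader from re-deriving it.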
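--- a/data/lib/brakeman/checks/check_dynamic_finders.rb
+++ b/data/lib/brakeman/checks/check_dynamic_finders.rb
@@ -43,6 +43,6 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
 end
 
 def potentially_dangerous? method_name
-method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
+method_name.match(/^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/)
 end
 end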
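--- a/data/lib/brakeman/checks/check_force_ssl.rb
+++ b/data/lib/brakeman/checks/check_force_ssl.rb
@@ -0,0 +1,27 @@
+class Brakeman::CheckForceSSL < Brakeman::BaseCheck
+Brakeman::Checks.add_optional self
+
+@description = "Check that force_ssl setting is enabled in production"
+
+def run_check
+return if tracker.config.rails.empty? or tracker.config.rails_version.nil?
+return if tracker.config.rails_version < "3.1.0"
+
+force_ssl = tracker.config.rails[:force_ssl]
+
+if false? force_ssl or force_ssl.nil?
+line = if sexp? force_ssl
+force_ssl.line
+else
+1
+end
+
+warn :warning_type => "Missing Encryption",
+:warning_code => :force_ssl_disabled,
+:message => msg("The application does not force use of HTTPS: ", msg_code("config.force_ssl"), " is not enabled"),
+:confidence => :high,
+:file => "config/environments/production.rb",
+:line => line
+end
+end
+end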
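Review bot: `tracker.config.rails_version < "3.1.0"` in `run_check` is a lexicographic String comparison if `rails_version` is a plain version string (its type is not visible in this section), so a two-digit major such as `"10.0.0"` sorts below `"3.1.0"` and the check is silently skipped; `return if Gem::Version.new(tracker.config.rails_version) < Gem::Version.new("3.1.0")` orders components numerically. The warning is also pinned to `config/environments/production.rb` at line 1 whenever `force_ssl` is absent, although the setting may legitimately live in `application.rb`; a comment such as `# force_ssl is normally set per environment; production.rb is the best guess when it is missing` would make that intentional. If `rails_version` is already a version object rather than a String, the first point does not apply.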
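--- a/data/lib/brakeman/checks/check_json_parsing.rb
+++ b/data/lib/brakeman/checks/check_json_parsing.rb
@@ -5,6 +5,11 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
 
 @description = "Checks for JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269"
 
+def initialize *args
+super
+@uses_json_parse = nil
+end
+
 def run_check
 check_cve_2013_0333
 check_cve_2013_0269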
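--- a/data/lib/brakeman/checks/check_link_to_href.rb
+++ b/data/lib/brakeman/checks/check_link_to_href.rb
@@ -34,7 +34,12 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
 #an ignored method call by the code above.
 call = result[:call] = result[:call].dup
 @matched = false
-url_arg = process call.second_arg
+
+url_arg = if result[:block]
+process call.first_arg
+else
+process call.second_arg
+end
 
 if check_argument? url_arg
 url_arg = url_arg.first_arg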
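Review bot: The new branch on `result[:block]` needs a one-line comment explaining why the argument position shifts, because nothing in the hunk says so: `# link_to(url, html_options) { body } puts the URL first; link_to(body, url) puts it second`. The enclosing method starts before this hunk and its `result` hash is built outside it. Whether `process` tolerates a nil `call.first_arg` (a block form invoked with no positional arguments) is not visible here and is worth confirming, since the old path always went through `second_arg`.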
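--- a/data/lib/brakeman/checks/check_mail_to.rb
+++ b/data/lib/brakeman/checks/check_mail_to.rb
@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
 :warning_code => :CVE_2011_0446,
 :message => message,
 :confidence => :high,
-:gem_info => gemfile_or_environment,
+:gem_info => gemfile_or_environment, # Probably ignored now
 :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
 end
 end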